diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf
index 11a8b34d..bba34d06 100644
--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@@ -36,7 +36,9 @@ module "automation-project" {
 # machine (service accounts) IAM bindings
 iam = {
 "roles/owner" = [
- module.automation-tf-bootstrap-sa.iam_email,
+ module.automation-tf-bootstrap-sa.iam_email
+ ]
+ "roles/cloudbuild.builds.editor" = [
 module.automation-tf-resman-sa.iam_email
 ]
 "roles/iam.serviceAccountAdmin" = [
@@ -45,6 +47,9 @@ module "automation-project" {
 "roles/iam.workloadIdentityPoolAdmin" = [
 module.automation-tf-resman-sa.iam_email
 ]
+ "roles/source.admin" = [
+ module.automation-tf-resman-sa.iam_email
+ ]
 "roles/storage.admin" = [
 module.automation-tf-resman-sa.iam_email
 ]
diff --git a/fast/stages/00-bootstrap/outputs.tf b/fast/stages/00-bootstrap/outputs.tf
index cfb2460b..91045865 100644
--- a/fast/stages/00-bootstrap/outputs.tf
+++ b/fast/stages/00-bootstrap/outputs.tf
@@ -57,6 +57,7 @@ locals {
 federated_identity_providers = local.wif_providers
 outputs_bucket = module.automation-tf-output-gcs.name
 project_id = module.automation-project.project_id
+ project_number = module.automation-project.number
 }
 custom_roles = local.custom_roles
 }
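Review bot: Dropping the resman service account from `roles/owner` in the first automation.tf hunk only narrows its access if no remaining binding lets it act as the bootstrap service account, which stays owner. The hunk ends on the header of the `roles/iam.serviceAccountAdmin` binding and its members are outside the hunk; if the resman account is still listed there, that role carries permission to set IAM policy on service accounts in the project, so the separation would rest on convention rather than on IAM. I would add a comment above `"roles/owner"` such as `# owner is bootstrap-only; resman must not hold roles that can set IAM policy on the bootstrap SA`, and consider granting service-account administration on individual service accounts instead of project-wide. The `iam` map continues beyond both ends of the hunk.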
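Review bot: `roles/source.admin` in the second automation.tf hunk gives the resman service account project-wide administration of source repositories, including their IAM policy, and nothing in the change says why admin is needed rather than a narrower role. If the repositories in this project hold the Terraform that Cloud Build runs (inferred from the `roles/cloudbuild.builds.editor` grant in the previous hunk), control of the repositories is control of what gets applied, so the grant deserves a stated reason. A one-line comment above the binding would do, for example `# resman creates the per-stage repositories and sets their IAM, hence admin`, if that is the reason; otherwise a narrower source role is the safer default.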